• krb5-1.18.2-26.el8_9
    • None
    • None
    • ZStream
    • 7
    • rhel-sst-idm-ipa
    • 13
    • 14
    • 5
    • QE ack, Dev ack
    • False
    • Yes
    • 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4, 2023-Q4-Bravo-S5, 2023-Q4-Bravo-S6
    • Approved Blocker
    • Bug Fix
      .Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

      Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

      With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.
    • Done
    • None

      Cloned from https://pagure.io/freeipa/issue/9448

      ***
      Upstream mailing list discussion thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FLZYF6YKRRU5DIJ6RCYLJKI6Y2MGRE4B/

      If an evidence ticket is issued by an IPA KDC running krb5 1.20+, an IPA KDC running krb5 1.18.2 or earlier will fail the request with a KRB5KDC_ERR_BADOPTION error ("KDC can't fulfill requested option"):

      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371)
      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12
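      As an added illustration (not part of this issue, and not FreeIPA or krb5 project code): a small Python triage script that parses krb5kdc log lines of the shape shown above and flags the rejection signature described here, a TGS_REQ whose handle_authdata step fails with KRB5KDC_ERR_BADOPTION and which is followed by a CONSTRAINED-DELEGATION (S4U2Proxy) line. An operator of a mixed-version IPA deployment can use it to separate these cross-version evidence-ticket rejections from other TGS failures while the fix is rolled out. The sample log is constructed from the lines on this page plus a made-up successful request; the numeric error code is derived from krb5's error table base (KRB5KDC_ERR_NONE = -1765328384, BADOPTION = protocol code 13).

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# libkrb5 reports KDC protocol error codes offset from the krb5 error table base.
# KRB5KDC_ERR_BADOPTION is protocol code 13, so it is logged as -1765328371,
# exactly the value in the handle_authdata line on this page.
KRB5_ERROR_BASE = -1765328384                 # KRB5KDC_ERR_NONE
KRB5KDC_ERR_BADOPTION = KRB5_ERROR_BASE + 13  # == -1765328371

# Constructed sample: the four lines from the issue (one rejected S4U2Proxy
# request on a krb5 1.18.2 KDC) followed by an invented successful TGS_REQ.
SAMPLE_LOG = """\
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371)
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12
Sep 07 09:25:01 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.88.7: ISSUE: authtime 1694078700, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM
"""

# Common syslog/journal prefix: timestamp, host, "krb5kdc[pid](level): ".
_PREFIX = (r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
           r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): ")
RE_AUTHDATA = re.compile(_PREFIX + r"TGS_REQ : handle_authdata \((?P<code>-?\d+)\)")
RE_STATUS = re.compile(
    _PREFIX
    + r"TGS_REQ \(.*\) (?P<ip>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{(?P<etypes>[^}]*)\},? (?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<msg>.*))?$"
)
RE_S4U = re.compile(_PREFIX + r"\.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u>\S+)")
RE_CLOSE = re.compile(_PREFIX + r"closing down fd \d+")


@dataclass
class TgsRequest:
    ts: str
    pid: str
    client_ip: str
    status: str            # ISSUE, HANDLE_AUTHDATA, ...
    client: str            # requesting principal (the delegating service for S4U2Proxy)
    server: str            # target service principal
    message: Optional[str] = None
    errcode: Optional[int] = None     # from the preceding handle_authdata line, if any
    s4u_client: Optional[str] = None  # set when a CONSTRAINED-DELEGATION line followed

    @property
    def is_cross_version_s4u2proxy_rejection(self) -> bool:
        """The signature from the issue: an S4U2Proxy request refused in
        handle_authdata with KRB5KDC_ERR_BADOPTION because the evidence ticket
        (issued by a newer KDC) lacks authdata the older KDC insisted on."""
        return (self.status == "HANDLE_AUTHDATA"
                and self.errcode == KRB5KDC_ERR_BADOPTION
                and self.s4u_client is not None)


def parse_kdc_log(lines: Iterable[str]) -> list[TgsRequest]:
    """Correlate the per-request lines a KDC emits: handle_authdata error, the
    TGS_REQ status line, trailing '...' detail lines, and the fd close."""
    requests: list[TgsRequest] = []
    pending_code: dict[str, int] = {}    # pid -> errcode waiting for its status line
    current: dict[str, TgsRequest] = {}  # pid -> request that trailing lines belong to
    for line in lines:
        line = line.rstrip()
        if m := RE_AUTHDATA.match(line):
            pending_code[m["pid"]] = int(m["code"])
        elif m := RE_STATUS.match(line):
            req = TgsRequest(ts=m["ts"], pid=m["pid"], client_ip=m["ip"], status=m["status"],
                             client=m["client"], server=m["server"], message=m["msg"],
                             errcode=pending_code.pop(m["pid"], None))
            requests.append(req)
            current[m["pid"]] = req
        elif m := RE_S4U.match(line):
            if (req := current.get(m["pid"])) is not None:
                req.s4u_client = m["s4u"]
        elif m := RE_CLOSE.match(line):
            current.pop(m["pid"], None)
    return requests


def triage(requests: list[TgsRequest]) -> dict[str, int]:
    """Count outcomes so an operator can see whether TGS failures on this KDC
    are dominated by the cross-version S4U2Proxy signature."""
    out = {"total": len(requests), "issued": 0, "rejected": 0, "cross_version_s4u2proxy": 0}
    for r in requests:
        if r.status == "ISSUE":
            out["issued"] += 1
        else:
            out["rejected"] += 1
            if r.is_cross_version_s4u2proxy_rejection:
                out["cross_version_s4u2proxy"] += 1
    return out


if __name__ == "__main__":
    reqs = parse_kdc_log(SAMPLE_LOG.splitlines())
    for r in reqs:
        if r.is_cross_version_s4u2proxy_rejection:
            print(f"{r.ts} pid={r.pid}: S4U2Proxy by {r.client} on behalf of {r.s4u_client} "
                  f"for {r.server} rejected with KRB5KDC_ERR_BADOPTION ({r.errcode}); "
                  "check whether the evidence ticket came from a krb5 1.20+ KDC")
    print(triage(reqs))
```

      The correlation keys on the KDC process id because each request's lines arrive in sequence from one worker; a real deployment would feed `journalctl -u krb5kdc -o cat` output into `parse_kdc_log` and alert when `cross_version_s4u2proxy` grows on KDCs that have not yet received the fixed build.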


            [RHEL-10495] Tolerate absence of AD-SIGNEDPATH [rhel-8.10]

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Moderate: idm:DL1 security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:3044


            Dominika Borges added a comment -

            The release notes text is now updated with suggestions from the peer review.

            Dominika Borges added a comment -

            Hi jrische@redhat.com, thanks for the review. I updated the text and will move to the peer review.
            Regarding using the present perfect tense, I believe it reflects that the resolution has occurred in the past and currently the issue is fixed. I'll check this with another writer.

            Julien Rische added a comment -

            Hello Dominika,
            Sorry about the delay. I would just make these comments:

            • "A compatibility issue has occurred between [...]": It sounds like it is an ad hoc thing, while it is actually systematic. Without this update, the failure will occur each time this scenario happens. So I'd rather say "A compatibility issue occurs between [...]"
            • "the older KDC failed the ticket granting service request": I feel like "to fail the request" is not the best expression here. I would rather say "the older KDC rejects the ticket granting service request". It is not really a bug, it's just that the request is missing some data that are required by the 1.20 KDC by default.

            The rest is good as it is.

            Dominika Borges added a comment -

            jrische@redhat.com I added release notes text. Could you please review the text to see if it is accurate?

            gitlab-bot added a comment -

            Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch c8s_adsignedpath:

            ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

            Rafael Jeffman added a comment -

            The fix will be inherited from the RHEL 8.9 build.

            gitlab-bot added a comment -

            Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch rhel_8.10_adsignedpath:

            ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older [rhel-8.10]

            gitlab-bot added a comment -

            Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch c8s_adsignedpath:

            ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

              rjeffman@redhat.com Rafael Jeffman
              ftrivino@redhat.com Francisco Trivino Garcia
              Julien Rische Julien Rische
              Michal Polovka Michal Polovka
              Dominika Borges Dominika Borges
              Votes: 0
              Watchers: 10